diff --git a/Vagrantfile b/Vagrantfile
index 3dbb28c56c..ec7423e8e2 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -11,57 +11,6 @@ Vagrant.configure("2") do |config|
 # so the key insertion feature should be disabled.
 config.ssh.insert_key = false
- # The staging hosts are just like production but allow non-Tor access
- # for the web interfaces and ssh.
- config.vm.define 'mon-staging', autostart: false do |staging|
- if ENV['SECUREDROP_SSH_OVER_TOR']
- config.ssh.host = find_ssh_aths("mon-ssh-aths")
- config.ssh.proxy_command = tor_ssh_proxy_command
- config.ssh.port = 22
- elsif ARGV[0] == "ssh"
- config.ssh.host = "10.0.1.3"
- config.ssh.port = 22
- end
- staging.vm.hostname = "mon-staging"
- staging.vm.box = "bento/ubuntu-20.04"
- staging.vm.network "private_network", ip: "10.0.1.3"
- staging.vm.synced_folder './', '/vagrant', disabled: true
- staging.vm.provider "libvirt" do |lv, override|
- lv.video_type = "virtio"
- end
- end
-
- config.vm.define 'app-staging', autostart: false do |staging|
- if ENV['SECUREDROP_SSH_OVER_TOR']
- config.ssh.host = find_ssh_aths("app-ssh-aths")
- config.ssh.proxy_command = tor_ssh_proxy_command
- config.ssh.port = 22
- elsif ARGV[0] == "ssh"
- config.ssh.host = "10.0.1.2"
- config.ssh.port = 22
- end
- staging.vm.hostname = "app-staging"
- staging.vm.box = "bento/ubuntu-20.04"
- staging.vm.network "private_network", ip: "10.0.1.2"
- staging.vm.synced_folder './', '/vagrant', disabled: true
- staging.vm.provider "virtualbox" do |v|
- v.memory = 1024
- end
- staging.vm.provider "libvirt" do |lv, override|
- lv.memory = 1024
- lv.video_type = "virtio"
- end
- staging.vm.provision "ansible" do |ansible|
- ansible.playbook = "install_files/ansible-base/securedrop-staging.yml"
- ansible.inventory_path = "install_files/ansible-base/inventory-staging"
- ansible.verbose = 'v'
- # Taken from the parallel execution tips and tricks
- # https://docs.vagrantup.com/v2/provisioning/ansible.html
- ansible.limit = 'all,localhost'
- ansible.raw_arguments = Shellwords.shellsplit(ENV['ANSIBLE_ARGS']) if ENV['ANSIBLE_ARGS']
- end
- end
-
 # The prod hosts are just like production but are virtualized.
 # All access to SSH and the web interfaces is only over Tor.
 config.vm.define 'mon-prod', autostart: false do |prod|
@@ -72,7 +21,7 @@ Vagrant.configure("2") do |config|
 end
 prod.vm.hostname = "mon-prod"
 prod.vm.box = "bento/ubuntu-20.04"
- prod.vm.network "private_network", ip: "10.0.1.5", virtualbox__intnet: internal_network_name
+ prod.vm.network "private_network", ip: "10.0.1.5"
 prod.vm.synced_folder './', '/vagrant', disabled: true
 prod.vm.provider "libvirt" do |lv, override|
 lv.video_type = "virtio"
@@ -87,11 +36,8 @@ Vagrant.configure("2") do |config|
 end
 prod.vm.hostname = "app-prod"
 prod.vm.box = "bento/ubuntu-20.04"
- prod.vm.network "private_network", ip: "10.0.1.4", virtualbox__intnet: internal_network_name
+ prod.vm.network "private_network", ip: "10.0.1.4"
 prod.vm.synced_folder './', '/vagrant', disabled: true
- prod.vm.provider "virtualbox" do |v|
- v.memory = 1024
- end
 prod.vm.provider "libvirt" do |lv, override|
 lv.memory = 1024
 lv.video_type = "virtio"
@@ -116,11 +62,8 @@ Vagrant.configure("2") do |config|
 config.vm.define 'apt-local', autostart: false do |prod|
 prod.vm.hostname = "apt-local"
 prod.vm.box = "bento/ubuntu-20.04"
- prod.vm.network "private_network", ip: "10.0.1.7", virtualbox__intnet: internal_network_name
+ prod.vm.network "private_network", ip: "10.0.1.7"
 prod.vm.synced_folder './', '/vagrant', disabled: true
- prod.vm.provider "virtualbox" do |v|
- v.memory = 1024
- end
 prod.vm.provider "libvirt" do |lv, override|
 lv.memory = 1024
 lv.video_type = "virtio"
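Review bot: Dropping `virtualbox__intnet: internal_network_name` from the `mon-prod` network line (and likewise from `app-prod` and `apt-local` in the two hunks that follow) leaves the prod VMs on a plain `private_network` with fixed 10.0.1.x addresses, and nothing replaces the host isolation or the per-checkout network name that the VirtualBox internal network provided. The comment above `mon-prod` says all SSH and web access is Tor-only; under vagrant-libvirt a private network is, as far as I know, NAT-forwarded and reachable from the host by default, so that property probably no longer holds at the network layer, and two checkouts brought up concurrently would share one subnet. Consider making the mode explicit, e.g. `prod.vm.network "private_network", ip: "10.0.1.5", libvirt__forward_mode: "none"`, after confirming the guests still have an outbound path over the management network, and record the choice in a comment. The `config.vm.define` blocks start and end outside these hunks.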
@@ -177,12 +120,3 @@ def tor_ssh_proxy_command
 end
 return "#{base_cmd} 127.0.0.1:9050 %h %p"
 end
-
-# Create a unique name for the VirtualBox internal network,
-# based on the directory name of the repo. This is to avoid
-# accidental IP collisions when running multiple instances
-# of the staging or prod environment concurrently.
-def internal_network_name
- repo_root = File.expand_path(File.dirname(__FILE__))
- return File.basename(repo_root)
-end
diff --git a/devops/scripts/create-staging-env b/devops/scripts/create-staging-env
index 3b9a2c7f86..8b296be94d 100755
--- a/devops/scripts/create-staging-env
+++ b/devops/scripts/create-staging-env
@@ -2,7 +2,6 @@
 # Wrapper script to determine which VM driver is appropriate for the staging
 # environment, given the host OS and available tooling. Supports:
 #
- * VirtualBox (the default)
 # * Libvirt/KVM
 # * Qubes (via Admin API)
 #
diff --git a/devops/scripts/select-staging-env b/devops/scripts/select-staging-env
index b11ecb514f..0880abac15 100755
--- a/devops/scripts/select-staging-env
+++ b/devops/scripts/select-staging-env
@@ -2,7 +2,6 @@
 # Wrapper script to determine which VM driver is appropriate for the staging
 # environment, given the host OS and available tooling. Supports:
 #
- * VirtualBox (the default)
 # * Libvirt/KVM
 # * Qubes (via Admin API)
 #
@@ -26,8 +25,9 @@ elif [[ "${OSTYPE:-}" == "linux-gnu" ]]; then
 # Default to Libvirt for Linux users, which works well with Tails VM virtualization.
 securedrop_vm_provider="libvirt"
 else
- # Default to VirtualBox, since it's the safest bet.
- securedrop_vm_provider="virtualbox"
+ # We previously maintained Virtualbox support, but don't any longer. Should we?
+ echo "WARNING: Unsupported platform. Libvirt staging environment may not work properly."
+ securedrop_vm_provider="libvirt"
 fi
 # Expect the scenario to reside in the molecule/ directory.
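Review bot: The `echo "WARNING: ..."` added to the fallback branch of `select-staging-env` writes to stdout; if callers capture this script's output to learn the selected scenario (the name suggests so, but the rest of the script is outside the hunk), the warning text ends up inside that value. Send it to stderr instead: `echo "WARNING: Unsupported platform. Libvirt staging environment may not work properly." >&2`. The open question in the new comment (`Should we?`) reads as a review remark rather than documentation; `# VirtualBox is no longer supported; fall back to libvirt and warn.` states what the branch does. The `if`/`elif` chain begins above the hunk.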
diff --git a/install_files/ansible-base/roles/common/tasks/post_ubuntu_install_checks.yml b/install_files/ansible-base/roles/common/tasks/post_ubuntu_install_checks.yml
index 1dba316ad3..d91e5d6609 100644
--- a/install_files/ansible-base/roles/common/tasks/post_ubuntu_install_checks.yml
+++ b/install_files/ansible-base/roles/common/tasks/post_ubuntu_install_checks.yml
@@ -31,6 +31,8 @@
 tags:
 - dns
+ # These services will be inside staging VMs via the Bento boxes,
+ # even if those boxes are running on libvirt.
 - name: Disable VirtualBox services to avoid conflict with systemd-timesyncd.
 systemd:
 name: "{{ item }}"
diff --git a/molecule/testinfra/common/test_grsecurity.py b/molecule/testinfra/common/test_grsecurity.py
index c41fb0ca35..6927e27827 100644
--- a/molecule/testinfra/common/test_grsecurity.py
+++ b/molecule/testinfra/common/test_grsecurity.py
@@ -140,17 +140,6 @@ def test_grsecurity_paxtest(host):
 host.run("apt-get remove -y paxtest")
-@pytest.mark.skip_in_prod
-def test_grub_pc_marked_manual(host):
- """
- Ensure the `grub-pc` packaged is marked as manually installed.
- This is necessary for VirtualBox with Vagrant.
- """
- c = host.run('apt-mark showmanual grub-pc')
- assert c.rc == 0
- assert c.stdout.strip() == "grub-pc"
-
-
 def test_apt_autoremove(host):
 """
 Ensure old packages have been autoremoved.